Cyber threat to APIs poses challenge to data-driven businesses


The massive number of APIs developed over the last few years, amid the mushrooming of apps in India, poses an immense cybersecurity challenge to data-driven businesses, experts said.

Cybersecurity analysts say that by 2025, more than 50% of data theft will be due to insecure application programming interfaces (APIs), as organisations are adding them without adequate security testing. APIs are the lynchpin of data-driven businesses: they are the open building blocks that connect the frontend to the backend of any app.

Sunil Sharma, managing director, sales, India and SAARC, Sophos, says, “In layman’s language, if you are sitting inside a restaurant, the only way you can communicate with the restaurant’s kitchen is through a waiter who does the job of a messenger and tells the kitchen about your order and then gets your food delivered. APIs are just like these waiters. What if the waiter forgets your order or serves a wrong dish?”

Sharma adds that if an API does not properly authenticate and authorise the user or application, it can be susceptible to unauthorised access.

Businesses even open their APIs to other service providers so that the latter can build customised solutions for customers, says Mohit Joshi, co-founder, AppSentinels.ai. For example, if one books a cab through Ola or Uber, the cab aggregator uses the Google Maps API. Similarly, when paying a shopper via UPI, Razorpay queries (asks for access to) an API. Even when one signs up on a website using a social media account, the latter’s API handles the authentication. “With life becoming so easy and data transfer happening seamlessly through these APIs, what would happen if APIs are hacked?” Joshi asks.

API security matters more today because every business is transforming digitally. Venkatesh Sundar, founder, president Americas, Indusface, says, “App to app traffic is fuelled due to explosion of API economy and IoT devices. Today, the internet traffic between app to app communications might be more than human to app /websites traffic.” Sundar says vulnerable or hacked APIs can expose financial, medical and personal data to the public.

Ram Movva, chairman and co-founder, Securin, says that since an API is a mini webapp, the same security measures that are taken for webapps must be taken for APIs too. But that mindset is lacking. In a webapp, when the user interface (UI) is modified the change is visible, and therefore testing is completed immediately. An API, by contrast, is not visible to end users, and developers often release it in a rush without testing for security, Movva says.

All organisations are in a rush to drive adoption of their platform, product or service, and are adding APIs swiftly to add functionality. API adoption is going to be very quick and will have a huge footprint in terms of connecting disparate apps. So it is natural that API breaches will increase in the future. Continuously assessing the security posture of APIs must be part of cyber hygiene.

Sanjay Nagraj, co-founder and CTO, Traceable.AI, says not only have APIs become the universal attack vector, they also expand the attack surface across all vectors – the largest attack surface that has been encountered in the industry.

API security is still a relatively new space, but it’s gaining traction given the recent, high-profile data breaches as a direct result of exploited APIs. The majority of solutions in existence are really looking at just the edge. They’re not going deep into their systems and the APIs.

According to Gartner, in 2022 API abuse became the most frequent attack vector for data breaches, and by 2024 API abuses and related data breaches will nearly double. From T-Mobile to LinkedIn and even Venmo, consumers and companies are feeling the repercussions of API abuse, Nagraj says.

Zombie/forgotten APIs

The other problem is that organisations simply do not know how many APIs they have, what those APIs are doing, and where they reside. Managing API sprawl can be complex, especially when attempting to secure multiple APIs that are constantly changing and evolving. As the number of APIs increases, it becomes that much more difficult to secure them effectively.

Zombie APIs are deprecated APIs that developers assume are inactive and disabled, but that are actually still running in the background and are highly vulnerable to exploitation. They are often excluded from regular security upgrades and, being outdated, stand little chance once attackers adopt new techniques.
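One practical way to surface zombie and unknown endpoints is to reconcile what the gateway actually serves against the team's own API inventory. The following is an added example, not code from the article or from any vendor quoted in it; the inventory, log format and endpoint paths are constructed for illustration.

```python
"""Flag deprecated ("zombie") and undocumented API endpoints that still serve traffic."""
import re
from collections import Counter

# Constructed inventory: what the team believes is live or retired (assumed format).
API_INVENTORY = {
    "GET /api/v2/orders": "active",
    "POST /api/v2/orders": "active",
    "GET /api/v2/users/{id}": "active",
    "GET /api/v1/orders": "deprecated",  # assumed switched off, but is it?
}

# Constructed access-log lines in combined-log style (sample data, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [23/May/2023:01:20:01 +0530] "GET /api/v2/orders HTTP/1.1" 200 512
10.0.0.7 - - [23/May/2023:01:20:02 +0530] "GET /api/v1/orders HTTP/1.1" 200 2048
10.0.0.9 - - [23/May/2023:01:20:03 +0530] "GET /api/v2/users/42 HTTP/1.1" 200 300
10.0.0.7 - - [23/May/2023:01:20:04 +0530] "GET /api/v1/orders HTTP/1.1" 200 2048
10.0.0.8 - - [23/May/2023:01:20:05 +0530] "GET /api/internal/debug HTTP/1.1" 200 77
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def normalise(path):
    """Collapse purely numeric path segments to {id} so /users/42 matches the inventory template."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def audit_endpoints(log_text, inventory):
    """Return {endpoint: (inventory_state, hits)} for every endpoint that answered a
    2xx request and is not marked active: 'deprecated' ones are zombies, 'unknown'
    ones are shadow APIs nobody has documented."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or not m.group("status").startswith("2"):
            continue  # ignore unparsable lines and requests the API refused
        hits[f"{m.group('method')} {normalise(m.group('path'))}"] += 1
    findings = {}
    for endpoint, count in hits.items():
        state = inventory.get(endpoint, "unknown")
        if state != "active":
            findings[endpoint] = (state, count)
    return findings


if __name__ == "__main__":
    for endpoint, (state, n) in sorted(audit_endpoints(SAMPLE_LOG, API_INVENTORY).items()):
        print(f"{state:10} {n:3} hits  {endpoint}")
```

Run against real gateway logs, the same reconciliation turns "we do not know how many APIs we have" into a concrete list of endpoints to retire or document.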

This article was first published on May 23, 2023, at 1:20 am.